Google redirect/Malware

Post by Astrum » March 2nd, 2011, 11:59 pm

Hello,

I am using an Asus netbook (connected to a home network) that runs with Windows XP (SP3) and IE 8. Recently all of my Google searches redirect me to random and highly annoying ad sites or send me to the appropriate site but with bonus ad windows popping up (though apparently I'm the lucky winner of an Apple iPad 23x - YAY!).

I assume that I have some sort of malware problem in my system but I am not sophisticated enough to find the source. Any help with this issue would greatly be appreciated.

Thanks,
Astrum

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:25:19 PM, on 02/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Yweker] rundll32.exe "C:\WINDOWS\uviquwamoh.dll",Startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Nmaliwelohaw] rundll32.exe "C:\WINDOWS\l32rap.dll",Startup
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe -update activex
O4 - HKUS\S-1-5-21-3380936620-2339703424-1300860077-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Fok-Han')
O4 - HKUS\S-1-5-21-3380936620-2339703424-1300860077-1006\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe (User 'Fok-Han')
O4 - HKUS\S-1-5-21-3380936620-2339703424-1300860077-1006\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Fok-Han')
O4 - S-1-5-21-3380936620-2339703424-1300860077-1006 Startup: Dropbox.lnk = C:\Documents and Settings\Fok-Han\Application Data\Dropbox\bin\Dropbox.exe (User 'Fok-Han')
O4 - S-1-5-21-3380936620-2339703424-1300860077-1006 User Startup: Dropbox.lnk = C:\Documents and Settings\Fok-Han\Application Data\Dropbox\bin\Dropbox.exe (User 'Fok-Han')
O4 - Global Startup: SuperHybridEngine.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe

--
End of file - 9493 bytes

Uninstall List
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Asus ACPI Driver
ASUS USB2.0 UVC VGA WebCam
ASUS VIBE
ASUSUpdate for Eee PC
Atheros Client Installation Program
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Bonjour
Choice Guard
Cisco Connect
Citrix Presentation Server Client - Web Only
Compatibility Pack for the 2007 Office system
Data Sync
ebi.BookReader3J
Eee Docking 1.3.6.0
EeeSplendid
EzMessenger
FontResizer
HardCopy Pro V1.51
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 21
Junk Mail filter update
Kobo
Lexmark Software Uninstall
LiveUpdate
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Palm Desktop by ACCESS
PEPID PCP for Palm OS
QuickTime
Ralink RT2860 Wireless LAN Card
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype web features
Skype™ 4.2
Super Hybrid Engine
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 UVC Camera Device
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Post by askey127 » March 3rd, 2011, 8:00 am

Hi Astrum,
Quite a few things to do here, but each item should be straightforward.
Please do them in the order given.
We are removing your obsolete versions of Adobe Reader and Java runtime. We will replace them later.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Yweker] rundll32.exe "C:\WINDOWS\uviquwamoh.dll",Startup
O4 - HKCU\..\Run: [Nmaliwelohaw] rundll32.exe "C:\WINDOWS\l32rap.dll",Startup

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------
Download the Antivir Free Installer
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
Double check to be sure you know where to find it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Adobe Reader 8.1.1
Java(TM) 6 Update 21

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Install Antivir
Double click the Avira Antivir Installer you saved on your desktop, and let it Install Antivir.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
Have it Delete any items it finds.
-----------------------------------------------
Get Last Avira Antivir Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
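
As an added example (not code from this thread or from HijackThis), here is a small Python triage script that scans an HJT log for the two patterns askey127 marked above for Fix Checked: a BHO whose registered DLL is no longer on disk, and a Run value that launches rundll32.exe against a DLL dropped directly into the Windows folder with a Startup export. The sample lines are copied from Astrum's log; the function and pattern names are my own.

```python
"""Triage a HijackThis (HJT) log for two autorun patterns.

Added example for this thread, not HijackThis's own code. It flags:
  * an O2 BHO whose DLL is gone ("(no file)"): an orphaned or half-removed
    browser helper object;
  * an O4 Run value that launches rundll32.exe against a DLL sitting directly
    in the Windows folder (not a subfolder such as system32) with a "Startup"
    export, the shape of the [Yweker] and [Nmaliwelohaw] entries above.
"""
import re
from dataclasses import dataclass
from typing import List

# O2 - BHO: <name> - {CLSID} - <dll path | (no file)>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>   (also RunOnce, HKUS\<SID>)
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>   (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.IGNORECASE
)


@dataclass
class Finding:
    line: str    # the HJT line as logged
    reason: str  # why it was flagged


def dll_in_windows_root(path: str) -> bool:
    """True when the DLL lives directly in <drive>:\\WINDOWS, with no subfolder.

    Legitimate Run entries almost always point into Program Files or
    system32; a DLL dropped straight into the Windows root is unusual.
    """
    parts = path.replace("/", "\\").split("\\")
    return (
        len(parts) == 3
        and parts[1].lower() == "windows"
        and parts[2].lower().endswith(".dll")
    )


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per HJT line matching either suspicious pattern."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        bho = BHO_RE.match(line)
        if bho:
            if bho.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, "orphaned BHO: CLSID registered but DLL missing"))
            continue

        run = RUN_RE.match(line)
        if not run:
            continue
        call = RUNDLL_RE.match(run.group("cmd").strip())
        if (
            call
            and dll_in_windows_root(call.group("dll"))
            and call.group("export").lower() == "startup"
        ):
            findings.append(Finding(line, "rundll32 autorun loading a DLL from the Windows root"))
    return findings


# Sample input: a constructed subset of lines copied from Astrum's HijackThis
# log above, mixing the three entries askey127 marked with benign neighbours.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Yweker] rundll32.exe "C:\WINDOWS\uviquwamoh.dll",Startup
O4 - HKCU\..\Run: [Nmaliwelohaw] rundll32.exe "C:\WINDOWS\l32rap.dll",Startup
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe -update activex
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
"""


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the full log the script reports exactly the three lines askey127 listed; anything it flags still needs a human to confirm before it is fixed, since a heuristic on path shape is not proof of infection.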

Re: Google redirect/Malware

Post by Astrum » March 3rd, 2011, 1:10 pm

Hi askey127,

Thank you so much for the fast response. I have done as you instructed: removed 2 programs (Adobe and Java) and performed a full system scan using Avira AntiVir. I believe AntiVir was able to quarantine most of the viruses it found except the Avira Guard keeps telling me that it has found the "TR/ATRAPS.Gen" in "C:\WINDOWS\system32\k.dll" and access to the file is denied. I've tried to remove it about 10 times and the scan runs fully but the Guard continues to keep detecting the same malware. Should I delete the "TR/ATRAPS.Gen" file from quarantine?

With heartfelt thanks,
Astrum

System Scan Log:
Avira AntiVir Personal
Report file date: March 3, 2011 10:14

Scanning for 2454761 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ASUS

Version information:
BUILD.DAT : 10.0.0.611 31824 Bytes 1/14/2011 13:42:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 1/10/2011 19:23:31
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 1/10/2011 19:23:40
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 19:23:50
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 15:06:29
VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 15:06:29
VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 15:06:29
VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 15:06:30
VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 15:06:30
VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 15:06:30
VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 15:06:30
VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 15:06:30
VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 15:06:30
VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 15:06:31
VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 15:06:31
VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 15:06:31
VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 15:06:32
VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 15:06:32
VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 15:06:33
VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 15:06:33
VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 15:06:34
VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 15:06:34
VBASE020.VDF : 7.11.4.34 2048 Bytes 3/2/2011 15:06:34
VBASE021.VDF : 7.11.4.35 2048 Bytes 3/2/2011 15:06:35
VBASE022.VDF : 7.11.4.36 2048 Bytes 3/2/2011 15:06:35
VBASE023.VDF : 7.11.4.37 2048 Bytes 3/2/2011 15:06:35
VBASE024.VDF : 7.11.4.38 2048 Bytes 3/2/2011 15:06:35
VBASE025.VDF : 7.11.4.39 2048 Bytes 3/2/2011 15:06:35
VBASE026.VDF : 7.11.4.40 2048 Bytes 3/2/2011 15:06:35
VBASE027.VDF : 7.11.4.41 2048 Bytes 3/2/2011 15:06:36
VBASE028.VDF : 7.11.4.42 2048 Bytes 3/2/2011 15:06:36
VBASE029.VDF : 7.11.4.43 2048 Bytes 3/2/2011 15:06:36
VBASE030.VDF : 7.11.4.44 2048 Bytes 3/2/2011 15:06:36
VBASE031.VDF : 7.11.4.51 31744 Bytes 3/3/2011 15:06:36
Engineversion : 8.2.4.178
AEVDF.DLL : 8.1.2.1 106868 Bytes 1/10/2011 19:23:26
AESCRIPT.DLL : 8.1.3.55 1282426 Bytes 3/3/2011 15:06:45
AESCN.DLL : 8.1.7.2 127349 Bytes 1/10/2011 19:23:26
AESBX.DLL : 8.1.3.2 254324 Bytes 1/10/2011 19:23:26
AERDL.DLL : 8.1.9.2 635252 Bytes 1/10/2011 19:23:25
AEPACK.DLL : 8.2.4.11 520566 Bytes 3/3/2011 15:06:44
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 3/3/2011 15:06:43
AEHEUR.DLL : 8.1.2.81 3314038 Bytes 3/3/2011 15:06:43
AEHELP.DLL : 8.1.16.1 246134 Bytes 3/3/2011 15:06:39
AEGEN.DLL : 8.1.5.2 397683 Bytes 3/3/2011 15:06:38
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/10/2011 19:23:18
AECORE.DLL : 8.1.19.2 196983 Bytes 3/3/2011 15:06:38
AEBB.DLL : 8.1.1.0 53618 Bytes 1/10/2011 19:23:18
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/10/2011 19:23:32
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/10/2011 19:23:30
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 19:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 1/10/2011 19:23:31
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 1/10/2011 19:23:31
AVARKT.DLL : 10.0.22.6 231784 Bytes 1/10/2011 19:23:27
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/10/2011 19:23:28
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 1/10/2011 19:23:31
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 19:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 1/10/2011 19:23:52

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: March 3, 2011 10:14

Starting search for hidden objects.
c:\program files\eeepc\acpi\asacpisvr.exe
c:\program files\eeepc\acpi\asacpisvr.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'iexplore.exe' - '95' Module(s) have been scanned
Scan process 'iexplore.exe' - '71' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '96' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '63' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avgnt.exe' - '57' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'avguard.exe' - '69' Module(s) have been scanned
Scan process 'iPodService.exe' - '32' Module(s) have been scanned
Scan process 'igfxext.exe' - '32' Module(s) have been scanned
Scan process 'Hotsync.exe' - '70' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'msmsgs.exe' - '50' Module(s) have been scanned
Scan process 'Eee Docking.exe' - '27' Module(s) have been scanned
Scan process 'ctfmon.exe' - '32' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '74' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '43' Module(s) have been scanned
Scan process 'LiveUpdate.exe' - '51' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '34' Module(s) have been scanned
Scan process 'AsTray.exe' - '39' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '34' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '26' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '45' Module(s) have been scanned
Scan process 'hkcmd.exe' - '33' Module(s) have been scanned
Scan process 'igfxtray.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '116' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'SeaPort.exe' - '47' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '35' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '51' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'spoolsv.exe' - '56' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '170' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '38' Module(s) have been scanned
Scan process 'winlogon.exe' - '72' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '2285' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-100630-244A3CA0\ARK17.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-100757-6B4BE798\ARK16.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-101131-1E1729D0\ARK18.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-101252-4543361C\ARK19.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Documents and Settings\Fok-Han\Application Data\Sun\Java\Deployment\cache\6.0\31\67eb9adf-1361e2f0
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a6a7a760c0e
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a66d578f084.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.EZ Java virus
--> ab16db71cdc.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FH Java virus
--> ae28546890f.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FJ Java virus
--> af439f03798.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FK Java virus
C:\Documents and Settings\Susan\My Documents\USB key files\Quickbooks Modules 1 to 4\PDF and support Files\Other Files\atplay.exe
[0] Archive type: CAB SFX (self extracting)
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
--> \Disk1\ieatgpc.dll
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
C:\WINDOWS\l32rap.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\WINDOWS\system32\k.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\k.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f134495.qua'.
C:\WINDOWS\l32rap.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0d3e15f2.qua'.
C:\Documents and Settings\Susan\My Documents\USB key files\Quickbooks Modules 1 to 4\PDF and support Files\Other Files\atplay.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
[NOTE] The file was moved to the quarantine directory under the name '6b775a71.qua'.
C:\Documents and Settings\Fok-Han\Application Data\Sun\Java\Deployment\cache\6.0\31\67eb9adf-1361e2f0
[DETECTION] Contains recognition pattern of the JAVA/Agent.FK Java virus
[NOTE] The file was moved to the quarantine directory under the name '2ef8770a.qua'.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-101252-4543361C\ARK19.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1d3562fd.qua'.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-101131-1E1729D0\ARK18.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c770de7.qua'.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-100757-6B4BE798\ARK16.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '39431a4e.qua'.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-100630-244A3CA0\ARK17.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '46e0131d.qua'.


End of the scan: March 3, 2011 11:38
Used time: 1:20:24 Hour(s)

The scan has been done completely.

9861 Scanned directories
281116 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
8 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
281104 Files not concerned
6676 Archives were scanned
0 Warnings
3 Notes
367685 Objects were scanned with rootkit scan
1 Hidden objects were found
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm
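The Avira report above lists every detection twice (once in the file scan, once under "Beginning disinfection:"), counts archive members separately, and then reports fewer quarantined files than detections. The following parser, written as an added example and not part of the thread or of Avira's tooling, reconciles the two sections so the reader can see which flagged files actually reached quarantine. The sample text is a constructed, shortened copy of the log in which one quarantine note has been dropped on purpose to exercise the check.

```python
"""Reconcile an Avira AntiVir scan report: detections vs. quarantine notes."""
import re
from dataclasses import dataclass, field
from typing import Optional

PATH_RE = re.compile(r"^[A-Za-z]:\\")            # a top-level file path line
MEMBER_RE = re.compile(r"^-->\s*(.+)$")           # an archive member line
DETECTION_RE = re.compile(
    r"^\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the|"
    r"Contains virus patterns of Adware)\s+(\S+)"
)
QUARANTINE_RE = re.compile(
    r"^\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'"
)

# Constructed, shortened excerpt of the report posted above. The quarantine
# note for ARK17.tmp is deliberately left out so the reconciliation has
# something to report.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110303-100630-244A3CA0\ARK17.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Documents and Settings\Fok-Han\Application Data\Sun\Java\Deployment\cache\6.0\31\67eb9adf-1361e2f0
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a6a7a760c0e
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a66d578f084.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.EZ Java virus
C:\Documents and Settings\Susan\My Documents\USB key files\Quickbooks Modules 1 to 4\PDF and support Files\Other Files\atplay.exe
[0] Archive type: CAB SFX (self extracting)
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
--> \Disk1\ieatgpc.dll
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
C:\WINDOWS\l32rap.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\WINDOWS\system32\k.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\k.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f134495.qua'.
C:\WINDOWS\l32rap.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0d3e15f2.qua'.
C:\Documents and Settings\Susan\My Documents\USB key files\Quickbooks Modules 1 to 4\PDF and support Files\Other Files\atplay.exe
[DETECTION] Contains virus patterns of Adware ADWARE/Agent.62464.1
[NOTE] The file was moved to the quarantine directory under the name '6b775a71.qua'.
C:\Documents and Settings\Fok-Han\Application Data\Sun\Java\Deployment\cache\6.0\31\67eb9adf-1361e2f0
[DETECTION] Contains recognition pattern of the JAVA/Agent.EZ Java virus
[NOTE] The file was moved to the quarantine directory under the name '2ef8770a.qua'.
"""


@dataclass
class ScannedFile:
    path: str
    signatures: list = field(default_factory=list)   # verdicts on the file itself
    members: dict = field(default_factory=dict)      # archive member -> signature
    quarantined_as: Optional[str] = None


def parse_report(text: str) -> dict:
    """Return {path: ScannedFile} for every flagged file in the report."""
    files: dict = {}
    current: Optional[ScannedFile] = None
    member: Optional[str] = None
    disinfecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection"):
            disinfecting = True          # from here on, only quarantine notes matter
            current, member = None, None
        elif PATH_RE.match(line):
            member = None
            current = files.setdefault(line, ScannedFile(line))
        elif current is None:
            continue
        elif (m := MEMBER_RE.match(line)):
            member = m.group(1)
        elif (m := DETECTION_RE.match(line)):
            if disinfecting:
                continue                 # the disinfection block repeats the verdict
            if member is not None:
                current.members[member] = m.group(1)
            else:
                current.signatures.append(m.group(1))
        elif (m := QUARANTINE_RE.match(line)):
            current.quarantined_as = m.group(1)
    return files


def detection_count(files: dict) -> int:
    """One count per file verdict plus one per flagged archive member."""
    return sum(len(f.signatures) + len(f.members) for f in files.values())


def unresolved(files: dict) -> list:
    """Flagged top-level files that never received a quarantine note."""
    return sorted(p for p, f in files.items()
                  if (f.signatures or f.members) and f.quarantined_as is None)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{len(report)} files flagged, {detection_count(report)} detections")
    for path in unresolved(report):
        print("NOT quarantined:", path)
```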

Re: Google redirect/Malware

Unread postby askey127 » March 3rd, 2011, 3:30 pm

Astrum,
That behavior is OK.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    (Vista - W7 users: Right-click and select "Run As Administrator")
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (dd.mm.yyyy_hh.mm.ss is the time stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.
-----------------------------------------------
Please download MiniToolBox and run it.
Check the following in the list:
  • Flush DNS
  • List IP configuration
  • List Windows version, partitions, and memory size
Click GO and post the result (Result.txt).

So we are looking for the log from TDSSKiller and the report from the MiniToolBox.

askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google redirect/Malware

Unread postby Astrum » March 3rd, 2011, 5:18 pm

Thanks again for your continued help. Makes me almost believe that the Internet isn't inherently evil :)

I completed both diagnostics and the results are posted below. The TDSSKiller scan found nothing to cure. What's the next step?

Gracias,
Astrum

TDSSKiller Results:
2011/03/03 16:02:58.0156 0476 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/03 16:02:58.0406 0476 ================================================================================
2011/03/03 16:02:58.0406 0476 SystemInfo:
2011/03/03 16:02:58.0406 0476
2011/03/03 16:02:58.0406 0476 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/03 16:02:58.0406 0476 Product type: Workstation
2011/03/03 16:02:58.0406 0476 ComputerName: ASUS
2011/03/03 16:02:58.0406 0476 UserName: Susan
2011/03/03 16:02:58.0406 0476 Windows directory: C:\WINDOWS
2011/03/03 16:02:58.0406 0476 System windows directory: C:\WINDOWS
2011/03/03 16:02:58.0406 0476 Processor architecture: Intel x86
2011/03/03 16:02:58.0406 0476 Number of processors: 2
2011/03/03 16:02:58.0406 0476 Page size: 0x1000
2011/03/03 16:02:58.0406 0476 Boot type: Normal boot
2011/03/03 16:02:58.0406 0476 ================================================================================
2011/03/03 16:02:58.0765 0476 Initialize success
2011/03/03 16:03:04.0953 2892 ================================================================================
2011/03/03 16:03:04.0953 2892 Scan started
2011/03/03 16:03:04.0953 2892 Mode: Manual;
2011/03/03 16:03:04.0953 2892 ================================================================================
2011/03/03 16:03:22.0750 2892 ================================================================================
2011/03/03 16:03:22.0750 2892 Scan finished
2011/03/03 16:03:22.0750 2892 ================================================================================
2011/03/03 16:03:42.0109 2736 Deinitialize success

MiniToolBox Result:
MiniToolBox by Farbar
Ran by Susan at 2011-03-03 16:04:35
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


================= Flush DNS: ==============================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


================= End of Flush DNS ========================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : ASUS

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : phub.net.cable.rogers.com



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Controller

Physical Address. . . . . . . . . : 90-E6-BA-7A-12-F2



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : phub.net.cable.rogers.com

Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter

Physical Address. . . . . . . . . : 00-25-D3-8C-7E-C1

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.117

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 64.71.255.198

Lease Obtained. . . . . . . . . . : March 3, 2011 3:54:06 PM

Lease Expires . . . . . . . . . . : March 4, 2011 3:54:06 PM

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: google.com
Addresses: 74.125.225.18, 74.125.225.19, 74.125.225.17, 74.125.225.20
74.125.225.16



Pinging google.com [74.125.225.20] with 32 bytes of data:



Reply from 74.125.225.20: bytes=32 time=1ms TTL=56

Reply from 74.125.225.20: bytes=32 time=1ms TTL=56



Ping statistics for 74.125.225.20:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=3ms TTL=53

Reply from 67.195.160.76: bytes=32 time=2ms TTL=53



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 2ms, Maximum = 3ms, Average = 2ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...90 e6 ba 7a 12 f2 ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
0x3 ...00 25 d3 8c 7e c1 ...... Atheros AR9285 Wireless Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.117 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.117 192.168.1.117 20
192.168.1.0 255.255.255.0 192.168.1.117 192.168.1.117 25
192.168.1.117 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.117 192.168.1.117 25
224.0.0.0 240.0.0.0 192.168.1.117 192.168.1.117 25
255.255.255.255 255.255.255.255 192.168.1.117 192.168.1.117 1
255.255.255.255 255.255.255.255 192.168.1.117 2 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Memory info: ====================================

Percentage of memory in use: 42%
Total physical RAM: 1015.17 MB
Available physical RAM: 582.61 MB
Total Pagefile: 2441.96 MB
Available Pagefile: 2079.47 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.54 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:144.12 GB) (Free:121.29 GB) NTFS
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Unread postby askey127 » March 3rd, 2011, 7:57 pm

Astrum,
That's good. Probably no rootkit with infected system files.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVIRA ANTIVIR
    Please navigate to the system tray on the bottom right hand corner and look for an open umbrella on red background.
    • Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.
    • You should now see a closed umbrella on a red background (looks like this: Image )
    The AntiVir Guards are now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your Antivir protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google redirect/Malware

Unread postby Astrum » March 4th, 2011, 1:39 pm

I downloaded Combofix and ran it. The laptop has some quirks now when it starts up. Sometimes it doesn't load the desktop properly (so it is just with the background) or it decides to log off by itself. Hopefully these are just temporary.

Thanks,
Astrum

Combo Fix Log
ComboFix 11-03-03.04 - Susan 04/03/2011 12:11:52.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.583 [GMT -5:00]
Running from: c:\documents and settings\Susan\Desktop\zzz.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Susan\Local Settings\Application Data\{FC8864A8-A515-48FA-A6BF-DFD792C6069A}
c:\documents and settings\Susan\Local Settings\Application Data\{FC8864A8-A515-48FA-A6BF-DFD792C6069A}\chrome.manifest
c:\documents and settings\Susan\Local Settings\Application Data\{FC8864A8-A515-48FA-A6BF-DFD792C6069A}\chrome\content\_cfg.js
c:\documents and settings\Susan\Local Settings\Application Data\{FC8864A8-A515-48FA-A6BF-DFD792C6069A}\chrome\content\overlay.xul
c:\documents and settings\Susan\Local Settings\Application Data\{FC8864A8-A515-48FA-A6BF-DFD792C6069A}\install.rdf
C:\install.exe
c:\program files\Java
c:\program files\Java\jre6\lib\ext\dns_sd.jar
c:\program files\Java\jre6\lib\ext\QTJava.zip
c:\windows\system32\Thumbs.db
.
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-02-04 to 2011-03-04 )))))))))))))))))))))))))))))))
.

2011-03-03 15:12 . 2011-03-03 15:12 -------- d-----w- c:\documents and settings\Susan\Application Data\Avira
2011-03-03 15:10 . 2011-03-03 15:10 -------- d-----w- c:\windows\system32\NtmsData
2011-03-03 15:03 . 2011-01-10 19:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-03 15:03 . 2011-01-10 19:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-03 15:03 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-03 15:03 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-03 15:03 . 2011-03-03 15:03 -------- d-----w- c:\program files\Avira
2011-03-03 15:03 . 2011-03-03 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-03-03 03:24 . 2011-03-03 03:24 388096 ----a-r- c:\documents and settings\Susan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2009-08-11 13:03 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-08-11 13:03 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2009-08-11 13:03 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2009-08-11 13:03 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2009-08-11 13:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2009-08-11 13:03 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2009-08-11 13:03 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2009-08-11 13:03 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2009-08-11 13:03 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2009-08-11 13:03 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2009-08-11 13:03 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------

[-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-07-27 397312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2010-01-29 751592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-12-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-8-11 376832]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Fok-Han\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [28/05/2010 8:49 AM 11448]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/03/2011 10:03 AM 135336]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [27/04/2009 8:59 PM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [28/04/2009 12:47 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/08/2009 2:00 PM 1684736]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [20/08/2009 7:24 AM 1015424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe


.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-04 12:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-04 12:23:19
ComboFix-quarantined-files.txt 2011-03-04 17:23
.
Pre-Run: 130,142,093,312 bytes free
Post-Run: 133,781,610,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A04A2B14567E637D02775F39CCA4AA4E
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Unread postby askey127 » March 4th, 2011, 2:56 pm

Astrum,
------------------------------------------------------
You have an extremely dangerous infection on the machine. It is called Bamital.D
It is dangerous on two fronts.


First:
Warning - Compromised Data
Because the infection has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine.
That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well. Use a clean PC (not this one) to make the changes.

Second:
Bamital.D is an infection, peddled by criminals, with an attitude that they will own your computer or they will trash it.
In the process, they have created an infection that is somewhat risky to fix.
They have corrupted two critical Windows files, without which Windows will not boot or operate correctly.
The likelihood of a total PC failure while trying to "FIX" it is a possibility.

Now, what to do
Before we attack the infection, you should be absolutely clear about the following:
  • If the attempt to fix your machine fails, it will likely fail to boot.
  • You need to make backups of every important data file, document, etc. on the machine that is important to you. Save to CDs, DVDs, flash drives, or external hard drive.
  • Get your User Guide and be SURE you know how to do a complete System Recovery. If fixing this infection fails, this is what you will need to do.
    This is usually done by hitting a certain Function key as the machine starts.
    This is the "drastic" recovery method that puts your machine's C: drive back to the exact state it was in when you purchased it. Any choice to do a "Repair Install" which leaves the programs intact, will fail.
    A full System Recovery would mean re-installing all programs over again.
    After Recovery, the system would need to be updated immediately by connecting to Microsoft and getting all the Updates.
  • If you do not have a commercial PC machine with a System Recovery, you will need to locate the CD with the Windows operating system on it, and your key code, because you will need to reformat the drive and re-install Windows.
  • Locate any System Disks you have, from when you bought the machine.
  • You cannot continue with a machine controlled by criminals. They can send out spam, e-mails, and infections using your machine as the perpetrator.

So, please do your homework, tell me your status, and if/when you are ready to proceed.
askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google redirect/Malware

Unread postby Astrum » March 5th, 2011, 2:26 am

AARRGH!! You are freaking me out here!

Obviously we check and perform all sorts of private transactions online using our netbook so what you are telling me is definitely not good news. Two questions:

1. Is it even safe to copy and transfer files over from the infected machine or will the files potentially carry the virus with them and possibly infect other computers?

2. Can/should I download Microsoft Security Essentials (ew) and see if it will clear the infection?

(s)A(d)trum
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Unread postby Astrum » March 5th, 2011, 2:32 am

Bonus questions:

How did you know out of all the zillions of trojans/viruses/malwares out there, that my machine is infected with Bamital.D? Is it solely because Combofix discovered that...

c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!

...or is there a line in all the code that says "This is me! I'm Bamital.D!"
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Unread postby askey127 » March 5th, 2011, 8:05 am

Astrum,
Bamital.D infects those two files. They cannot be replaced while Windows is running in Normal Mode.
At the moment, No Antivirus out there will fix this infection, for that very reason. For a while, AVG actually erased the infected files, until they realized that each of those machines then became unbootable. They should have known.
Any AVs now that report the infected files will not do anything about them.

Our procedure is to locate all the copies of those two files on the machine and move a set of clean copies to the main directory of C:
Then we will use the Recovery Console to move the clean copies into their correct location in place of the infected ones.
If there is another one or two files that serve as the downloader for the infection, we need to find and remove it/them also.

About the backups:
You can usually back up any data files like Text, spreadsheets, Powerpoint presentations, databases, etc. with pretty good assurance. All the Documents and Settings subfolders should be OK to copy except the Application Data Folders.
If you don't back up and save any executable programs, but just data, your backup should be OK.
All of this is in case the machine goes belly up and won't boot, forcing you to Re-Install Windows from scratch.

The main thing this infection does is intercept all your internet communications, including keystrokes. So your online typing is at risk, big time. "They" probably already have some of your typed usernames and passwords.
We cannot be 100% sure that the machine is trustworthy even after it has been "fixed". It's always possible that some Security settings have been compromised. This type of infection is called a "Backdoor", and some experts feel that a complete Re-Install of Windows from scratch is the best way to be certain of the Security going forward.

askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
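As an added example (not code from the thread, from ComboFix or from MalwareRemoval.com), this Python script reads the Sigcheck lines of a ComboFix log, as in the log above, and then performs the first half of the procedure askey127 describes: it finds every copy of the flagged files on a drive and tells the patched copy apart from same-size unpatched ones by MD5. The paths, sizes and file contents in build_demo_tree are constructed stand-ins, and the actual replacement from the Recovery Console is not automated here.

```python
import hashlib
import os
import re
import tempfile

# ComboFix "Sigcheck" line layout, as in the log posted in this thread:
#   [flag] date . MD5 . size . . [version] . . path      ("[-]" = the check failed)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

def parse_sigcheck(log_text):
    """One dict per Sigcheck line; flag '-' marks a file ComboFix could not verify."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"], e["md5"] = int(e["size"]), e["md5"].upper()
            e["flagged"] = e["flag"] == "-"
            entries.append(e)
    return entries

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def triage_copies(root, entries):
    """Walk `root` for every copy of each flagged file and sort the copies into three buckets:
    same MD5 as the infected file; same size but different MD5 (candidate clean copies, e.g.
    from dllcache or ServicePackFiles); different size (another build, not a drop-in replacement).
    A candidate is only a candidate: verify it against a trusted reference before staging it."""
    flagged = {os.path.basename(e["path"]).lower(): e for e in entries if e["flagged"]}
    report = {n: {"infected": [], "candidates": [], "other_version": []} for n in flagged}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            e = flagged.get(fn.lower())
            if e is None:
                continue
            p = os.path.join(dirpath, fn)
            if md5_of(p) == e["md5"]:
                report[fn.lower()]["infected"].append(p)
            elif os.path.getsize(p) == e["size"]:
                report[fn.lower()]["candidates"].append(p)
            else:
                report[fn.lower()]["other_version"].append(p)
    return report

def build_demo_tree():
    """Constructed stand-in for an XP system drive (not real binaries): a patched winlogon.exe in
    system32, same-size unpatched copies in dllcache and ServicePackFiles, and a smaller older build.
    Returns (root, sigcheck_text) where the log line carries the MD5 of the patched copy."""
    root = tempfile.mkdtemp(prefix="sigcheck_demo_")
    clean = b"MZ" + b"\x00" * 1022                 # 1024-byte placeholder for a clean binary
    infected = clean[:-8] + b"PATCHED!"            # same size, a few bytes overwritten
    layout = {"WINDOWS/system32/winlogon.exe": infected,
              "WINDOWS/system32/dllcache/winlogon.exe": clean,
              "WINDOWS/ServicePackFiles/i386/winlogon.exe": clean,
              "Backup/old/winlogon.exe": clean[:900]}
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    bad = hashlib.md5(infected).hexdigest().upper()
    log = "[-] 2008-04-14 . %s . 1024 . . [5.1.2600.5512] . . %s" % (
        bad, os.path.join(root, "WINDOWS", "system32", "winlogon.exe"))
    return root, log
```

Running `triage_copies(*build_demo_tree()[::1])` on the demo tree lists the system32 copy as infected, the dllcache and ServicePackFiles copies as candidates, and the 900-byte copy as another version.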

Re: Google redirect/Malware

Unread postby Astrum » March 5th, 2011, 2:37 pm

Given the potential severity of the infection I think the best bet will be for me to completely wipe everything and start over again from the system recovery disk. I believe it contains the factory image and I'll just reload anything else I need back onto the machine.

Please advise if this would be the best solution and if this will ensure that the virus is definitely and completely removed from the system.

Thanks,
(m)A(d)strum
Astrum
Active Member
 
Posts: 8
Joined: March 2nd, 2011, 11:39 pm

Re: Google redirect/Malware

Unread postby askey127 » March 5th, 2011, 5:32 pm

Astrum,
That is THE BEST solution to be absolutely sure that the machine is safe.
Immediately after you re-install Windows, use Internet Explorer > Tools > Windows Update and let it download everything it wants. It will take a while, and there will be several reboots.
Then install an Antivirus. Don't surf without it.
Microsoft Security Essentials is good and free, as is Antivir.
I'm confident you will stay away from torrents and any free shared files.
We are here if you want or need additional Security Suggestions.
Good Luck,
askey127
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google redirect/Malware

Unread postby askey127 » March 8th, 2011, 8:30 am

Since the Resolution of this topic will utilize a Complete System Recovery, this topic will be closed.
askey127
Admin/Teacher
 
Posts: 13953
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA